Online domain join with IPSec on DCs
Hi @all!
According to some rare articles on the Internet, it should be possible to join
a client to a domain using a regular domain join, whenever IPSec is activated
on the domain controllers - as long as the OS of all participating hosts is
Windows Server 2008 and Windows Vista or higher. For that I have to use
NTLMv2 authentication, which is new in these OS versions.
I just created a connection security rule, which requires authentication for
all inbound communication with the NTLMv2 protocol. I have added NTLMv2
computer authentication (optional) and as the second method I have added
NTLMv2 user authentication (NOT optional). Furthermore I created an inbound
firewall rule for any traffic, which says "allow". With this configuration,
it's not possible for me to join a client to the domain. In my test lab I've
got just one DC (W2K8) and one client (Windows 7).
The client is not even able to ask the DNS service on the DC for the
domain information. Yes, I understand this - but the articles tell me
that it would work under Vista and higher. So: what am I doing wrong and what
did I miss configuring? In one of the rare articles, they write
something like: "By enabling the new feature in IPSec for Windows Vista and
Windows Server 2008 that automatically determines when to use IPSec, you no
longer have to configure exemptions for domain controllers, simplifying
IPSec policy and deployment of IPSec protection in a domain." - WHICH feature
AND HOW TO enable it???
Thanks a lot for clarification and help!
Regards,
Andre
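The rule set described in the post, written out as `netsh advfirewall` commands so it can be reproduced and inspected on the DC (added example, not from the original post). Rule names are made up; the use of `anonymous` in `auth1` to express "computer authentication optional" and the event IDs 4653/4654 are my assumptions about the Vista/2008 syntax and logging.

```batch
@echo off
rem Added example: the connection security rule from the post, plus checks.
rem Run in an elevated prompt on the domain controller (test lab only).

rem 1) Connection security rule: require authentication inbound, request it
rem    outbound. auth1 = computer NTLMv2, made optional by adding "anonymous"
rem    (assumption: this mirrors the GUI "First authentication is optional").
rem    auth2 = user NTLMv2, NOT optional (no "anonymous" in the list).
netsh advfirewall consec add rule name=DC-IPsec-Inbound ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computerntlm,anonymous ^
    auth2=userntlm

rem 2) The "allow any inbound traffic" firewall rule from the post. Note that
rem    a firewall allow rule does not bypass the consec rule: a peer that
rem    cannot complete the required authentication is still dropped.
netsh advfirewall firewall add rule name=Allow-All-Inbound ^
    dir=in action=allow

rem 3) Verify what was actually stored (the auth methods and their order).
netsh advfirewall consec show rule name=DC-IPsec-Inbound verbose

rem 4) While the client attempts the join, inspect the negotiated
rem    main-mode and quick-mode security associations. An empty list here
rem    means no IPsec SA was ever established with the client.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

rem 5) Check the Security log for failed IPsec negotiations (assumption:
rem    4653 = main mode failed, 4654 = quick mode failed). The "failure
rem    point" and "failure reason" fields say which auth method was rejected.
wevtutil qe Security /q:"*[System[(EventID=4653 or EventID=4654)]]" ^
    /c:5 /rd:true /f:text

rem For comparison only: the same rule with action=requestinrequestout still
rem offers IPsec but lets a peer that cannot authenticate fall back to clear
rem text, which is visible in the SA listings above as "no SA" for that peer.
```

The interesting output is step 5: the failure reason tells you whether the DC rejected the computer credential, the user credential, or never received a proposal at all.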